Re: Newbie question



Joe, you rock!

Thanks very much for your help. I will give this approach a shot and see
what I can come up with.

I will also check out ADFS - if it's more efficient and makes my life easier
it's definitely worth looking into.

My only concern in this scenario is requiring partners to implement it,
especially those on a different web server platform (Linux, etc.). But I
will take a look.

Thanks again-

/Jason


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:O86QOnAlHHA.3996@xxxxxxxxxxxxxxxxxxxxxxx
Yes, you can do that. Essentially, a MAC is a hash of some data that has
been encrypted with a shared key. To verify the MAC, the "other side"
decrypts the encrypted hash and then recalculates the hash of the data
that was provided (the username). If the hashes match, then the data has
not been tampered with.

A digital signature is very similar technologically except that it uses an
asymmetric key pair and generally includes a certificate of some sort so
that you can verify the identity of the private key holder. The verifier
only has the public key (from the certificate), so they cannot actually
generate the signature themselves, only verify.

The .NET Framework has some nice support for MACs (check out the various
HMAC classes).

You could pass the MAC as a second query string parameter. It is
generally a blob of arbitrary binary, so you may need to base64 encode it.

The main gotcha is that encryption and hashes are performed on binary
data, not strings. Strings exist as binary when they have been converted
to binary by a specific binary encoding. Thus, you need to use the same
encoding on both ends. Usually, you just want to use UTF8 to convert
string -> binary. You also need to be careful about any potential URL
canonicalization issues (url encoding, weird unicode sequences, etc.).
That can be a little tricky. However, an 80% solution is probably easily
doable.

I still think you should use ADFS for this and not invent your own
protocol, but suit yourself. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Jason" <JasonJason@xxxxxxxxxxxxx> wrote in message
news:%23aOjPOAlHHA.1340@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Joe,

I'm not familiar with MACs or digital signatures, but I definitely want
to know that the request is coming from a trusted source.

How would the MAC or signature be transmitted to my site?

Would it be acceptable to have the partner encrypt the MAC with the
symmetric key and send it in the querystring as well?


/jason


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OzrAYQ4kHHA.208@xxxxxxxxxxxxxxxxxxxxxxx
You are trying to create the equivalent of a federated identity
management using a custom protocol of your own design. You would be
much more well suited using one of the standards-based protocols for
implementing federated identity such as WS-Federation or SAML 2.0.
WS-Federation is the protocol used by Microsoft's ADFS system and is
what I would recommend here. However, it does place demands on your
partners to implement ADFS on their side as well.

ADFS does give you a secure, standards-based way of transferring
identity between partner organizations though with a lot more
flexibility than the system you have suggested.

That said, encryption isn't really as important here as tamper
resistance. Essentially, your key goal is to ensure that an end user
can't just type whatever they want for the user name. You want to
ensure that the value was generated by something you trust.

You generally do this with a digital signature or message authentication
code (MAC). They are similar, but signatures typically use
public/private keys where as MACs use symmetric keys. Symmetric crypto
is usually easier to code than asymmetric, but the down side is that you
need to exchange a symmetric key.

Note that if you want any of this to be secure, you need to combine this
with SSL. Whether or not you encrypt or sign the value representing the
username, if someone else can see the query string, they can steal it
and impersonate the user.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Jason" <JasonJason@xxxxxxxxxxxxx> wrote in message
news:%23Ei6i80kHHA.4312@xxxxxxxxxxxxxxxxxxxxxxx
OK, go easy, I'm a crypto-newbie, and also not sure if this is the
right group for this posting.

Here's the scenario:

I have a web site and want business partners to be able to link to my
web site from theirs, so I provide them the html syntax they can put on
their site to link to an .aspx page on mine.

If a user is signed on their site, I want that user to be signed on on
my site, so these corporate partners also have the option of sending
additional information in the querystring of this link that relays
information about the user currently logged in at their site (user id,
name, etc.).

e.g. href='http://www.abc.com/target.aspx?id=123456&username=jason'

I want this information to be encrypted so it is secure

e.g. href='http://www.abc.com/target.aspx?id=h5gv2k&username=e6fy1'

When my target.aspx page gets the request, I can look for the
querystring parameters (username, id, etc.), decrypt the values, and
take some action.

Here's my approach:

After doing some reading, it seems like public-key encryption is the
way to go. I would provide a public key for each corporate partner to
use for encrypting these values, and retain a private key for each
partner that I could use to decrypt the data in the code behind my
target.aspx page.

To do this, I'd use either the DSACryptoServiceProvider class or the
RSACryptoServiceProvider class.

So I have some questions:

1. Will my corporate partners be able to encrypt their data using the
RSA (or DSA) library of their choosing?

2. Must they use the same certain version to encrypt the text as I'll
be using to decrypt the text? A platform-specific version?

3. Which of these is the better choice?

4. Any gotchas I should be aware of (certificates that need to be
installed on the server, etc.)?

and finally, to keep an open mind,

5. Is there a better way to solve this need?


TIA,

/jason









.



Relevant Pages

  • Re: Newbie question
    ... You are trying to create the equivalent of a federated identity management ... using a custom protocol of your own design. ... it does place demands on your partners to implement ADFS on their ... Will my corporate partners be able to encrypt their data using the RSA ...
    (microsoft.public.dotnet.security)
  • Re: Newbie question
    ... a MAC is a hash of some data that has ... Would it be acceptable to have the partner encrypt the MAC with the ... You generally do this with a digital signature or message authentication ...
    (microsoft.public.dotnet.security)
  • Re: Newbie question
    ... I'm not familiar with MACs or digital signatures, ... How would the MAC or signature be transmitted to my site? ... Would it be acceptable to have the partner encrypt the MAC with the ...
    (microsoft.public.dotnet.security)
  • Re: Encryption Mac -> Windows
    ... accessing them on a Windows computer. ... I am not aware of any program that will encrypt files on a machine using ... Mac OS or Win OS and decrypt them on another machine without that other ... My wife and I have both PPC and Intel Macs. ...
    (comp.sys.mac.apps)
  • Re: Stream Cipher for encypting voice traffic
    ... email address bounces. ... Stream Cipher for encypting voice traffic ... MAC failure and be rejected before they are listened to. ... VPN you might now have to encrypt at all, ...
    (sci.crypt)